INTRODUCTION

This guide is about running a VPN with a raspberry-pi for accessing our home network from outside our home.

It goes over an openVPN installation for Raspbian and the configuration needed for our home router. Then the raspberry-pi or other devices in our local network can be remotely accessible. We can use this VPN to do backups or share the VPN with our peers who would like to access our home-based media library, especially handy in times of lockdowns.


Enjoy!


Visit the rest of the VPN-zine project:

Tunnel Up / Tunnel Down
zines.cucu.gr/prints/tunnel-up-tunnel-down-en/

Troubleshooting OpenVPN
zines.cucu.gr/prints/troubleshooting-openvpn-en/

Tunnels and Smartphones
zines.cucu.gr/prints/tunnels-and-smartphones-en/

Support the project by purchasing a physical copy!
INVENTORY

pi = raspberry-pi

OS = Operating System; here we mostly refer to the Raspbian OS

ssh = remote connection from our laptop to the pi; needs to be enabled during the pi's OS installation, under interfacing options

router = our local network's public interface to the internet, which is also why it's called the default gateway

IP = internet protocol

pc = personal computer

DHCP = Dynamic Host Configuration Protocol; a DHCP server automatically assigns an IP address to each host on the network. DHCP also assigns the subnet mask, the default gateway address, and the domain name system (DNS) address

curl = command for downloading from the internet via the terminal

bash = shell and command language for unix systems

installation wizard = a tool that leads the user through an installation

iptables = program that allows a system administrator to configure the Linux kernel firewall by filtering the incoming and outgoing IP packets as well as forwarding them to other destinations

ip route = command which adds a new route to the routing table

routing table = a data table stored in a router or a network host that lists the routes to particular network destinations

host = a device in the network

nmap = command that scans the network and its ports; also used for monitoring, security and discovering available hosts

ISP = internet service provider

internet interface id = the device's connection, e.g. wlan0, eth0, tun0
LOCAL NETWORK SETTINGS

We can install a Debian-flavor OS on a raspberry-pi, which is called Raspbian (see references in the CHEAT-SHEET). Here we will focus on setting up openVPN, which we may install as we would on a linux server/pc. Check out the zine 'Troubleshooting openVPN' for a thorough documentation of that method and how to debug errors. Or we can do it with the tool pivpn, which is a wizard installer that guides us through the installation process.

But before we dive into that, let's investigate and prepare our general network setting. What is critical about installing a VPN server in our home network is how our ISP provides internet to our residency. If our home router/gateway is behind a larger area's NAT, then our public IP doesn't reflect our home's gateway but that of another box in the middle that we cannot configure. This type of connection is called carrier-grade or large-scale NAT, and only if a public IPv6 is possible for our router can we proceed with running a service such as an openVPN server from home.

We can find out how we connect to the internet by checking our public IP on a website (e.g. whatismyip.com) and verifying that our router's public IP is the same. To do that we log in to our router's web interface and look for the WAN settings. If the IPs are not the same, we can ask our ISP if we may get an IPv6 instead. However, this guide focuses on the IPv4 network setting, but it takes little change to configure openvpn over IPv6.


HOW DHCP WORKS

Our local network's IPs are usually dynamically assigned, and the time one device holds an IP is based on the DHCP's lease time. Our router, provided by our ISP, is the default DHCP server. We find our default DNS from our router's web interface.

Enabling Authoritative ON allows the DHCP server to keep track of the assigned IP addresses in the local network's range, which is handy for mobile devices to get their dynamic and leased IP back when in and out of the network. This option's availability depends on the router's model.

[Figure: local network IPs taken from the DHCP server's range. Router's web interface at URL: our router's IP. DHCP SERVER: Enabled; Authoritative ON; Server address range: 192.168.1.1 - 192.168.1.63; Availability: days / hours (aka lease time)]


DHCP CLIENT + STATIC IP

The raspberry-pi needs a local static IP. We can set it from the pi's settings or from our router or both. It should be outside the leased range of dynamic IPs. In the above schema, the range of dynamic IPs goes up until 192.168.1.63, so we can choose one outside that range and ensure that it isn't taken by the router's own local IP either. In linux a 'routel' or an "ip r | grep default" command will tell us the local IP of our router, which is marked as the default gateway, and our network's interface, called interface ID, e.g. eth0 or wlan0.

We ssh into our pi and in the file /etc/dhcpcd.conf we look for "Example static IP configuration"; we uncomment the block and we edit the "static IP" to the one of our choice, e.g. 192.168.1.65. We add the gateway's and the DNS' IP. And we also set the network's interface ID, e.g. eth0 (a wired pi connection is faster and more stable). We restart the pi.

For adding a static IP with a GUI, we go to network settings > ipv4 and pick the manual option, add netmask 255.255.255.0, and fill in our router's IP. Adding DNS and routes is optional.

[Figure: the GUI's network settings > IPv4 or IPv6 form, with the fields Address, Netmask, Gateway, DNS and Routes (Address, Netmask, Gateway, Metric)]
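The checks described above, as an added shell example (this script is not from the zine): it turns a candidate static IP down if it falls inside the router's DHCP range or equals the gateway, and prints the dhcpcd.conf stanza to uncomment and edit. The DHCP range 192.168.1.1-192.168.1.63 is the one from the figure; the /24 netmask, the use of the gateway as DNS and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the zine): validate a candidate static IP for the pi
# and print the /etc/dhcpcd.conf stanza. The DHCP range below is the one shown
# in the zine's figure; adjust it to your router's setting.
DHCP_LO=${DHCP_LO:-192.168.1.1}
DHCP_HI=${DHCP_HI:-192.168.1.63}

# Dotted IPv4 -> integer, so addresses can be compared numerically.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (0) when $1 lies inside the inclusive range $2..$3.
in_range() {
    n=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# A usable static IP is outside the DHCP lease range and is not the router's
# own address (the default gateway). $1 candidate, $2 gateway, $3/$4 range.
check_static_ip() {
    if in_range "$1" "$3" "$4"; then
        echo "refusing $1: inside the DHCP range $3-$4" >&2; return 1
    fi
    if [ "$1" = "$2" ]; then
        echo "refusing $1: that is the router's own IP" >&2; return 1
    fi
    return 0
}

# The stanza the zine has us uncomment and edit: $1 interface, $2 static IP,
# $3 gateway (assumed here to also serve as DNS, as in the pivpn custom-DNS step).
dhcpcd_block() {
    printf 'interface %s\nstatic ip_address=%s/24\nstatic routers=%s\nstatic domain_name_servers=%s\n' \
        "$1" "$2" "$3" "$3"
}

# On the pi: 'sh static-ip.sh run 192.168.1.65'. Gateway and interface come from
# the routing table, the same 'ip r | grep default' the zine uses.
if [ "${1-}" = "run" ]; then
    cand=${2:?usage: $0 run CANDIDATE-IP}
    set -- $(ip r | grep default)      # "default via <gateway> dev <iface> ..."
    gw=$3; iface=$5
    check_static_ip "$cand" "$gw" "$DHCP_LO" "$DHCP_HI" && dhcpcd_block "$iface" "$cand" "$gw"
fi
```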


DOMAIN NAME FOR THE GATEWAY

Next we move on to set up a domain name to associate with our home network's external/public IP, which is provided by our ISP and which periodically changes. If the ISP can set us up with a static IP, then we skip this step. In a home setting our router is also our main gateway to the internet. The goal is to be able to remotely access the pi behind our home gateway's public IP via a VPN tunnel. We will also add a port in our router to forward to the pi VPN's open port.

We can purchase a domain name from a hosting company or get one for free from Dynamic DNS services such as No-IP, Dyndns, Duckdns. Here we first give an example with a registered domain name in gandi.net, which provides an API that we can call locally to dynamically change the IP of the domain name's DNS record.

Once we have obtained one, we can register for Gandi's API and get the API key. There are plenty of libraries that help with changing the DNS record's IP from a host. E.g. https://github.com/ghitier/gandi-ddns has a README for all steps involved in installing and running the code.

We can find libraries when searching for 'script refresh ip + <name of our hosting's API> + our preferred coding language'.


DDNS + OTHER ALTERNATIVES

[Figure: remote access to our home network from a mobile VPN client; our home local network with the piVPN and other devices that could be mounted on the pi]

An example with a No-IP DDNS hostname, which is a free and quicker method but a less private one, and requires our router to support the No-IP feature (see NO-IP link in CHEAT-SHEET), is the following: We open a No-IP account and create a hostname for free. Then in our router's settings > advanced > DDNS, we select NO-IP as the service provider, and we enter our No-IP username, password and the No-IP hostname we created.

Another method that doesn't require any domain name creation, but involves manual work: run a cron job from the pi that fetches our public IP and emails it to us. Before we connect to the piVPN we edit, in our client profile, the line under 'The hostname/IP and port of the server', which starts with 'remote', with the IP sent in the email.
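The cron job alternative above, as an added shell example (not the zine's own script): it fetches the public IP, accepts the answer only if it looks like an IPv4 address, and emails it, already in the form of the client's 'remote' line, only when it changed since the last run. The ipify URL, the recipient address, the state-file path and the use of the 'mail' command are assumptions.

```shell
#!/bin/sh
# Added example: cron job on the pi that notices when the router's public IP
# changes. Assumed crontab entry, every 10 minutes:
#   */10 * * * * /home/pi/public-ip-watch.sh run
STATE=${STATE:-/home/pi/.public-ip}             # last address we saw (assumed path)
MAILTO=${MAILTO:-me@example.org}                # assumption: who gets the notice
IP_SOURCE=${IP_SOURCE:-https://api.ipify.org}   # assumption: plain-text IP service

# Accept only a dotted IPv4 address with each octet 0-255. The web service's
# answer is untrusted input; it must not reach a mail or a DNS record unchecked.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s' "$1" | tr . ' ')
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Compare $1 with the address stored in file $2; update the file and
# return 0 only when the address changed, so cron stays quiet otherwise.
ip_changed() {
    old=$(cat "$2" 2>/dev/null || true)
    [ "$1" != "$old" ] || return 1
    printf '%s\n' "$1" > "$2"
}

fetch_public_ip() {
    curl -fsS --max-time 15 "$IP_SOURCE"
}

if [ "${1-}" = "run" ]; then
    ip=$(fetch_public_ip) || exit 1
    valid_ipv4 "$ip" || { echo "unexpected answer from $IP_SOURCE: $ip" >&2; exit 1; }
    if ip_changed "$ip" "$STATE"; then
        # The mail body is the line to paste into the client profile (udp 1194 assumed).
        printf 'remote %s 1194\n' "$ip" | mail -s "home VPN public IP changed" "$MAILTO"
    fi
fi
```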





INSTALLATION WITH PIVPN

So far we have a static IP for the pi, and a method to retrieve/resolve our router's dynamic public IP, which is the gateway to our home network. If our pi is connected to a monitor we can do "ip addr" to find its IP, or we try to ssh from our device with the pi's hostname with 'ssh pi@raspberrypi.local'. If we changed the default username 'pi' or the hostname, then our ssh command should reflect these changes. Mosh is an alternative to ssh for uninterrupted logins, which would prove handy during our ssh session installing openVPN.

Once we are logged in to the pi, we do a firewall check with "sudo iptables -L", which should indicate that INPUT, FORWARD and OUTPUT have the "ACCEPT" policy (all requests should be accepted for the time being).

Phew, let's get openVPN now! Download the pivpn installer with:

curl -L https://install.pivpn.io/ | bash

The above gets the tool and runs it with the bash interpreter. Before the wizard installer pops up, we are asked to give our root password. The wizard first asks whether we want openVPN or WireGuard installed; we go for the first in this example (see CHEAT-SHEET for pros & cons of each). The next steps go over:

- confirming the pi's static IP

- DNS: we pick custom to add our default gateway/router's IP

- user choice


CLIENT CERTIFICATES + PORT FORWARDING 





- adding the public IP or domain name for the clients to reach the pi's VPN. Depending on what method we chose earlier, either having set a DDNS or a domain name for our router, we enter it here.

- port and TLS encryption. Opting for the default settings (udp 1194, ECDSA, and a certificate size of 256 bits) is fine.

- and we shall opt for unattended upgrades too.

The installer configures these options, generates the server keys and config file, and finishes with instructing us to generate a client profile with 'pivpn add'. For this step we give a name for the client, and once the profile is created we send it to the device which we want to connect to the piVPN. We can scp or sftp to get the profile to our workstation/laptop/mobile. The device which uses the client profile also needs to have openvpn installed. See how to get it for various OS in the CHEAT-SHEET.

Last step is to do port forwarding from our router to the piVPN's port we set up earlier during the VPN's configuration. Back in our router's admin via the web browser, we look for port forwarding; it might be under advanced or firewall settings, depending on the router model. There we add a new port forward with the udp port number we gave during the pivpn installation, and the pi's static IP. Finally, we go to our device's terminal and connect to the piVPN with:

openvpn --config <client_profile_file>

Or from a smartphone we import the new client profile in the openvpn connect app.


REMOTE BACKUPS

When our pi VPN is tested and running, we can put it to good use. One such use would be backing up our laptop's files when we travel or when we work away from home. In the following example we use restic to do just this.

In a terminal of the device we want to back up, we create a new user with: useradd -m backups

To restrict restic execution only to root and the user backups, check the restic docs which demonstrate the required steps to accomplish it:
https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root

The destination where we keep our backups could be a directory on the pi itself, or an external disk mounted on the pi. We call it a repository, and it should have a dedicated user for ownership and the right permissions to write and read in the repository.

Then we create ssh keys for the backups user and transfer its new public key to the repository owner's home under .ssh/authorized_keys. From the vpn logs or from running an 'ip addr' on the pi, we note the virtual IP of our pi, which is the IP associated with the interface id tun0.


OTHER USES FOR A PIVPN

Then we initiate the backup repository with:

restic -r sftp:pi@<virtual-ip>:/media/pi/backups init

and we enter a password and save it for future iterations of the backup command as well as for restoring our backup data. Now if, for example, we want to back up our html files, we run:

restic -r sftp:pi@<virtual-ip>:/media/pi/backups --verbose backup /var/www/html
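The backup command above, wrapped as an added shell example (not the zine's own script) that refuses to run unless the VPN is actually connected, which it decides by looking for the tun0 address in the laptop's 'ip addr' output, and that reads the repository password from a file so that it can run unattended from cron. The pi's virtual IP, the password-file path and the source directory are assumptions.

```shell
#!/bin/sh
# Added example: run the restic backup from the laptop only while the VPN
# tunnel is up. The pi's virtual IP, the paths and the source directory are
# assumptions; the repository URL is the one used in the zine.
PI_VIP=${PI_VIP:-10.8.0.1}                          # pi's tun0 address, noted from 'ip addr' on the pi
REPO="sftp:pi@${PI_VIP}:/media/pi/backups"
PASSFILE=${PASSFILE:-/home/backups/.restic-pass}    # chmod 600, owned by the backups user
SRC=${SRC:-/var/www/html}

# Print the IPv4 address of interface $1 from 'ip -4 addr' output read on stdin;
# prints nothing when the interface has no address (or does not exist).
tun_addr() {
    awk -v dev="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        cur == dev && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# True (0) when our own tunnel interface holds an address, i.e. openvpn is connected.
vpn_up() {
    [ -n "$(ip -4 addr | tun_addr tun0)" ]
}

if [ "${1-}" = "run" ]; then
    vpn_up || { echo "VPN is not connected; run openvpn --config first" >&2; exit 1; }
    # --password-file replaces the interactive password prompt of the zine's command.
    restic -r "$REPO" --password-file "$PASSFILE" --verbose backup "$SRC"
fi
```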


What else can we do with a VPN running on our pi? Access our media files, and create client certificates for our peers so that they can access these files too. For instance we can mount a NAS external disk with our movies on the pi and give ssh access to others to reach the mount point via the terminal. Or enable access to the rest of the pi's local network via the VPN. Or use it to tunnel all our traffic when we surf from public WiFi spots. Depending on what we want to do with the piVPN, we have to adjust the pi's routing table. E.g. for openvpn clients to reach the internet via the piVPN tunnel we do:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

where source '-s' is our tunnel subnet declared in the server.conf, and output '-o' is the pi's internet connection, so it should indicate either the wired or wireless interface id.

If we want to reach the local network behind the pivpn, we add

push "route <local-network-subnet> <netmask>"

in the server.conf.
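Both server-side steps above, as an added shell example (not from the zine): it switches IPv4 forwarding on in case the installer has not, adds the MASQUERADE rule only if it is not already there, and prints the push line with the dotted netmask that OpenVPN's route directive expects rather than a prefix length. The subnets and the eth0 interface are assumptions.

```shell
#!/bin/sh
# Added example: server-side routing for a piVPN. Subnets and interface are
# assumptions; run on the pi as root ('sh pivpn-routing.sh run').
TUN_NET=${TUN_NET:-10.8.0.0/24}      # tunnel subnet from server.conf
LAN_NET=${LAN_NET:-192.168.1.0/24}   # the pi's local network
OUT_IF=${OUT_IF:-eth0}               # the pi's internet-facing interface

# Dotted netmask for a prefix length, e.g. 24 -> 255.255.255.0.
prefix2mask() {
    m=$(( 4294967295 << (32 - $1) & 4294967295 ))
    echo "$(( m >> 24 & 255 )).$(( m >> 16 & 255 )).$(( m >> 8 & 255 )).$(( m & 255 ))"
}

# The server.conf directive that tells clients the LAN is reachable through the tunnel.
push_route_line() {
    net=${1%/*}; plen=${1#*/}
    printf 'push "route %s %s"\n' "$net" "$(prefix2mask "$plen")"
}

# Append the NAT rule only if an identical one is not already present
# (-C checks for it, -A appends), so re-running the script does not stack rules.
ensure_masquerade() {
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

if [ "${1-}" = "run" ]; then
    # Packets from tun0 are only forwarded to eth0 when the kernel switch is on.
    sysctl -w net.ipv4.ip_forward=1
    ensure_masquerade "$TUN_NET" "$OUT_IF"
    echo "add this line to server.conf and restart the openvpn server:"
    push_route_line "$LAN_NET"
fi
```

The iptables rule does not survive a reboot on its own; the zine's installer, or a persistence tool of your choice, has to save it.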


CHEAT SHEET

Install openVPN with pivpn wizard:
www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn/#Installing_Pi_VPN

How DHCP works:
www.networkworld.com/article/3299438/dhcp-defined-and-how-it-works.html
www.lifewire.com/what-is-dhcp-2625848

Add a static IP for the pi:
raspberrypi.stackexchange.com/questions/379320/how-do-i-set-up-networking-wifi-static-ip-address-on-raspbian-raspberry-pi-os/?714288 744928

Raspbian is a Debian based OS optimized for the Raspberry Pi: www.raspbian.org/

Dynamic update of DNS with Gandi:
virtuallytd.com/post/dynamic-dns-using-gandi/

Set up NO-IP with the home router:
www.noip.com/support/knowledgebase/how-to-configure-ddns-in-router/

Cloudflare alternative to no-ip:
medium.com/@mirrormirage0/configuring-dynamic-ip-auto-update-for-custom-domain-name-alternative-to-dyndns-noip-etc-5/alel0Uefd5

Access the router's settings:
www.pcmag.com/how-to/how-to-access-your-wi-fi-routers-settings

Get openvpn client for various OS: openvpn.net/openvpn-client-for-linux/

Pros and cons of VPN protocols WireGuard and openVPN:
restoreprivacy.com/vpn/wireguard-vs-openvpn/

Install restic for backups:
restic.readthedocs.io/en/stable/020_installation.html
restic.readthedocs.io/en/stable/040_backup.html

General backup tips and scripts:
www.debian.org/doc/manuals/debian-reference/ch10.en.html#_backup_and_recovery